083da462845ec9d24bbc86bf05a61880e60d73ead040196dfa98962bebb6b7d1

Analysis

max time kernel
45s
max time network
75s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 10:23

Target

083da462845ec9d24bbc86bf05a61880e60d73ead040196dfa98962bebb6b7d1.exe
Size

2.3MB
MD5

2abafaae5efc29548beafec5825bacf1
SHA1

2bc0cf5c49054b2ce48029601edce74e675f8713
SHA256

083da462845ec9d24bbc86bf05a61880e60d73ead040196dfa98962bebb6b7d1
SHA512

94315e11283f4f68a69d350279a50d5df246cbdc64de0791a64a80fe05d5ccc745dac769ea09c4681299e9865de79658109c5d8b495bb4bbedac5853951f1ab4
SSDEEP

49152:08Kxgj8I94w3LHgy8gBNNrUO3CYP/6qr+1rjaZV5xc2pZBZFpZ:08jj8I9441YOyYP/6qr+i

Score

7^/10

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\khpepfegmoiioaohhcfinmlibnfcbjpe\2.0\manifest.json	083da462845ec9d24bbc86bf05a61880e60d73ead040196dfa98962bebb6b7d1.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\khpepfegmoiioaohhcfinmlibnfcbjpe\2.0\manifest.json	083da462845ec9d24bbc86bf05a61880e60d73ead040196dfa98962bebb6b7d1.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\khpepfegmoiioaohhcfinmlibnfcbjpe\2.0\manifest.json	083da462845ec9d24bbc86bf05a61880e60d73ead040196dfa98962bebb6b7d1.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	083da462845ec9d24bbc86bf05a61880e60d73ead040196dfa98962bebb6b7d1.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	083da462845ec9d24bbc86bf05a61880e60d73ead040196dfa98962bebb6b7d1.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	083da462845ec9d24bbc86bf05a61880e60d73ead040196dfa98962bebb6b7d1.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	083da462845ec9d24bbc86bf05a61880e60d73ead040196dfa98962bebb6b7d1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1132	083da462845ec9d24bbc86bf05a61880e60d73ead040196dfa98962bebb6b7d1.exe
1132	083da462845ec9d24bbc86bf05a61880e60d73ead040196dfa98962bebb6b7d1.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1132-54-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1132-55-0x0000000002370000-0x0000000002413000-memory.dmp

Filesize
652KB

Download